|
57 | 57 | ) { |
58 | 58 | include certmonger::server |
59 | 59 |
|
60 | | - if "$ipa_client_configured" == 'true' { |
61 | | - |
62 | | - $principal_no_slash = regsubst($principal, '\/', '_') |
| 60 | + $principal_no_slash = regsubst($principal, '\/', '_') |
63 | 61 |
|
64 | | - if $hostname == undef { |
65 | | - $subject = '' |
66 | | - } else { |
67 | | - $subject = "-N cn=${hostname}" |
68 | | - } |
| 62 | + # Only execute certmonger if IPA client is configured |
| 63 | + $onlyif = "/usr/bin/test -s /etc/ipa/default.conf" |
69 | 64 |
|
70 | | - if $seclib == 'nss' { |
71 | | - $options = "-d ${basedir}/${dbname} -n ${nickname} -p ${basedir}/${dbname}/password.conf" |
| 65 | + if $hostname == undef { |
| 66 | + $subject = '' |
| 67 | + } else { |
| 68 | + $subject = "-N cn=${hostname}" |
| 69 | + } |
72 | 70 |
|
73 | | - file {"${basedir}/${dbname}/requested": |
74 | | - ensure => directory, |
75 | | - mode => 0600, |
76 | | - owner => 0, |
77 | | - group => 0, |
78 | | - } |
79 | | - |
80 | | - # Semaphore file to determine if we've already requested a certificate. |
81 | | - file {"${basedir}/${dbname}/requested/${principal_no_slash}": |
82 | | - ensure => file, |
83 | | - mode => 0600, |
84 | | - owner => $owner_id, |
85 | | - group => $group_id, |
86 | | - require => [ |
87 | | - Exec["get_cert_nss_${title}"] |
88 | | - ], |
89 | | - } |
90 | | - exec {"get_cert_nss_${title}": |
91 | | - command => "/usr/bin/ipa-getcert request ${options} -K ${principal} ${subject}", |
92 | | - creates => "${basedir}/${dbname}/requested/${principal_no_slash}", |
93 | | - require => [ |
94 | | - Package['certmonger'], |
95 | | - File["${basedir}/${dbname}/password.conf"], |
96 | | - ], |
97 | | - } |
98 | | - } |
99 | | - elsif $seclib == 'openssl' { |
| 71 | + if $seclib == 'nss' { |
| 72 | + $options = "-d ${basedir}/${dbname} -n ${nickname} -p ${basedir}/${dbname}/password.conf" |
| 73 | + $unless = "/usr/bin/getcert list -d ${basedir}/${dbname} -n ${nickname}" |
100 | 74 |
|
101 | | - $options = "-k ${key} -f ${cert}" |
| 75 | + exec {"get_cert_nss_${title}": |
| 76 | + command => "/usr/bin/ipa-getcert request ${options} -K ${principal} ${subject}", |
| 77 | + onlyif => "${onlyif}", |
| 78 | + unless => "${unless}", |
| 79 | + require => [ |
| 80 | + Service['certmonger'], |
| 81 | + File["${basedir}/${dbname}/password.conf"], |
| 82 | + ], |
| 83 | + } |
| 84 | + } |
| 85 | + elsif $seclib == 'openssl' { |
102 | 86 |
|
103 | | - # NOTE: Order is extremely important here. If the key file exists |
104 | | - # (content doesn't matter) then certmonger will attempt to use that |
105 | | - # as the key. You could end up in a NEWLY_ADDED_NEED_KEYINFO_READ_PIN |
106 | | - # state if the key file doesn't actually contain a key. |
| 87 | + $options = "-k ${key} -f ${cert}" |
| 88 | + $unless = "/usr/bin/getcert list -f ${cert}" |
107 | 89 |
|
108 | | - file {"${cert}": |
109 | | - ensure => file, |
110 | | - mode => 0444, |
111 | | - owner => $owner_id, |
112 | | - group => $group_id, |
113 | | - } |
114 | | - file {"${key}": |
115 | | - ensure => file, |
116 | | - mode => 0440, |
117 | | - owner => $owner_id, |
118 | | - group => $group_id, |
119 | | - } |
120 | | - exec {"get_cert_openssl_${title}": |
121 | | - command => "/usr/bin/ipa-getcert request ${options} -K ${principal} ${subject}", |
122 | | - creates => [ |
123 | | - "${key}", |
124 | | - "${cert}", |
125 | | - ], |
126 | | - require => [ |
127 | | - Package['certmonger'], |
128 | | - ], |
129 | | - before => [ |
130 | | - File["${key}"], |
131 | | - File["${cert}"], |
132 | | - ], |
133 | | - notify => Exec["wait_for_certmonger_${title}"], |
134 | | - } |
| 90 | + exec {"get_cert_openssl_${title}": |
| 91 | + command => "/usr/bin/ipa-getcert request ${options} -K ${principal} ${subject}", |
| 92 | + onlyif => "${onlyif}", |
| 93 | + unless => "${unless}", |
| 94 | + require => [ |
| 95 | + Service['certmonger'], |
| 96 | + ], |
| 97 | + notify => Exec["wait_for_certmonger_${title}"], |
| 98 | + } |
135 | 99 |
|
136 | | - # We need certmonger to finish creating the key before we |
137 | | - # can proceed. Use onlyif as a way to execute multiple |
138 | | - # commands without restorting to shipping a shell script. |
139 | | - # This will call getcert to check the status of our cert |
140 | | - # 5 times. This doesn't short circuit though, so all 5 will |
141 | | - # always run, causing a 5-second delay. |
142 | | - exec {"wait_for_certmonger_${title}": |
143 | | - command => "true", |
144 | | - onlyif => [ |
145 | | - "sleep 1 && getcert list -f ${cert}", |
146 | | - "sleep 1 && getcert list -f ${cert}", |
147 | | - "sleep 1 && getcert list -f ${cert}", |
148 | | - "sleep 1 && getcert list -f ${cert}", |
149 | | - "sleep 1 && getcert list -f ${cert}", |
150 | | - ], |
151 | | - path => "/usr/bin:/bin", |
152 | | - before => [ |
153 | | - File["${key}"], |
154 | | - File["${cert}"], |
155 | | - ], |
156 | | - refreshonly => true, |
157 | | - } |
158 | | - } else { |
159 | | - fail("Unrecognized security library: ${seclib}") |
160 | | - } |
| 100 | + # We need certmonger to finish creating the key before we |
| 101 | + # can proceed. Use onlyif as a way to execute multiple |
| 102 | + # commands without restorting to shipping a shell script. |
| 103 | + # This will call getcert to check the status of our cert |
| 104 | + # 5 times. This doesn't short circuit though, so all 5 will |
| 105 | + # always run, causing a 5-second delay. |
| 106 | + exec {"wait_for_certmonger_${title}": |
| 107 | + command => "true", |
| 108 | + onlyif => [ |
| 109 | + "sleep 1 && getcert list -f ${cert}", |
| 110 | + "sleep 1 && getcert list -f ${cert}", |
| 111 | + "sleep 1 && getcert list -f ${cert}", |
| 112 | + "sleep 1 && getcert list -f ${cert}", |
| 113 | + "sleep 1 && getcert list -f ${cert}", |
| 114 | + ], |
| 115 | + path => "/usr/bin:/bin", |
| 116 | + refreshonly => true, |
| 117 | + } |
161 | 118 | } else { |
162 | | - fail("ipa not configured") |
| 119 | + fail("Unrecognized security library: ${seclib}") |
163 | 120 | } |
164 | 121 | } |
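Review bot: Dropping the `file {"${key}"}` and `file {"${cert}"}` resources (old lines 108–119) leaves the private key's mode and ownership unmanaged: the rewritten `get_cert_openssl_${title}` exec no longer enforces the 0440 / `$owner_id` / `$group_id` settings, so those two parameters are unused in this hunk and the key's permissions now depend entirely on what certmonger writes. The removed NOTE about the key file explains why an `ensure => file` resource cannot simply be re-added ahead of the request; if ownership is still a requirement, enforce it only after `wait_for_certmonger_${title}` has confirmed the key exists, or document that certmonger's defaults are now relied upon. Separately, both new `unless` guards assume `getcert list -d … -n …` and `getcert list -f ${cert}` exit non-zero when no tracked request matches; if the installed certmonger returns 0 regardless of matches, `unless` is always satisfied and the request is never issued, so this should be confirmed on the target version. Minor style: `onlyif => "${onlyif}"` and `unless => "${unless}"` quote a bare variable and can be written `onlyif => $onlyif`.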